16 September 2025

Unlocking Pseudonymisation: What EDPS v SRB Means For South African Responsible Parties Under POPIA

ENS


ENS is an independent law firm with over 200 years of experience. The firm has over 600 practitioners in 14 offices on the continent, in Ghana, Mauritius, Namibia, Rwanda, South Africa, Tanzania and Uganda.

In the recent case of European Data Protection Supervisor v Single Resolution Board ("EDPS v SRB"), the Court of Justice of the European Union ("CJEU") addressed the legal status of pseudonymised data and the obligations of data controllers when sharing such data with third parties. The case arose after the Single Resolution Board ("SRB"), an EU agency, shared pseudonymised comments from affected shareholders and creditors with Deloitte, an external consultant, during the resolution of Banco Popular Español. The European Data Protection Supervisor ("EDPS") found that the SRB had failed to inform data subjects that their data would be shared with Deloitte, in breach of transparency obligations under Regulation (EU) 2018/1725. The General Court initially annulled the EDPS's decision, holding that whether data is personal should be assessed from the recipient's perspective: if the recipient cannot reasonably re-identify individuals, the data may not be personal data in their hands. On appeal, the CJEU clarified that the context and risk of re-identification are crucial in determining whether pseudonymised data remains personal data, and that controllers must assess and document these risks when sharing data.

Although delivered within the EU legal framework, the CJEU's reasoning in EDPS v SRB offers valuable guidance to South African organisations that qualify as "responsible parties" under the Protection of Personal Information Act 4 of 2013 ("POPIA"). In particular, the judgment illustrates how a context-specific, risk-based approach to pseudonymisation and data sharing can operate in practice. Against that backdrop, the following implications arise for POPIA-regulated entities:

Context-specific identifiability and pseudonymisation

POPIA's exclusions clause removes "de-identified" information from the Act's scope only where it cannot be re-identified by a reasonably foreseeable method. The EDPS v SRB judgment reinforces a core lesson: identifiability must be assessed from the perspective of the party in possession of the data at any given moment. A responsible party that retains the re-identification key will continue to process "personal information" and must therefore comply with all eight POPIA conditions. Conversely, once the data is disclosed - without the key - to a recipient that has no foreseeable means of re-identification, the dataset will generally be non-personal information in that recipient's hands. Responsible parties should:

  • maintain a robust internal pseudonymisation protocol (allocation of unique codes, secure segregation of the linking dataset, and strict access controls);
  • document the technical and organisational measures demonstrating that a recipient cannot reasonably re-identify the data subjects; and
  • periodically test whether new technologies or additional data sources have altered the re-identification risk.

Transparency duties remain with the responsible party

Even where onward disclosure renders the dataset non-identifiable for the recipient, the responsible party must still satisfy POPIA's openness and notification requirements. Privacy notices should:

  • name or describe all third-party recipients (including consultants and service providers) who will receive the pseudonymised dataset;
  • explain that the recipient will receive only de-identified information and lacks any means of re‑identification; and
  • set out the purposes of the disclosure in clear, specific terms, alongside the applicable legal basis.

Operator contracts and due diligence

When a responsible party appoints an "operator" (processor) to perform services on pseudonymised data, POPIA requires a written agreement mandating security safeguards equivalent to those imposed on the responsible party. Building on the EDPS v SRB rationale, the contract should also: prohibit the operator from attempting to obtain, or otherwise gaining access to, the re-identification key; include warranties that the operator lacks - and will not seek - additional datasets that could reasonably facilitate re-identification; and impose an obligation to notify the responsible party immediately if any circumstance arises that could change the identifiability risk profile.

Risk assessments and record-keeping

POPIA obliges responsible parties to implement "appropriate, reasonable" measures to identify foreseeable risks. Prior to any disclosure of pseudonymised data, entities should conduct and document a risk assessment addressing: the nature of the data elements remaining in the dataset; the likelihood that the recipient (or anyone to whom the recipient could grant access) could combine the dataset with other information to re-identify data subjects; and the legal, contractual, and technical barriers preventing such re-identification. These assessments should be retained as part of the responsible party's processing records.

Data subject participation and exercise of rights

Because the responsible party retains the re-identification key, it alone remains capable of responding meaningfully to data subject requests (access, correction, deletion). Internal procedures must ensure that: pseudonymisation keys are retrievable by authorised personnel only when necessary to fulfil a data subject request; and any deletions or corrections made at the data subject's direction are propagated to both the identifiable and pseudonymised versions of the dataset, or that appropriate technical measures are in place to prevent re-linkage.
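The pseudonymisation protocol described above (unique codes, a segregated linking dataset, a re-identification risk check) and the propagation of a deletion request to both dataset versions, as an added illustration in Python; this is example code, not part of the article or of any firm's tooling, and the comment records, field names and quasi-identifier choice are constructed for the illustration.

```python
import secrets
from collections import Counter

# Constructed sample: comments from affected shareholders and creditors (hypothetical data).
COMMENTS = [
    {"name": "A. Example", "email": "a@example.test", "category": "shareholder", "comment": "Valuation too low"},
    {"name": "B. Example", "email": "b@example.test", "category": "creditor", "comment": "Process unclear"},
    {"name": "A. Example", "email": "a@example.test", "category": "shareholder", "comment": "Second submission"},
]
DIRECT_IDENTIFIERS = {"name", "email"}  # fields that never leave the responsible party


class LinkingDataset:
    """The re-identification key (code <-> identifier), held apart from the shared copy."""

    def __init__(self):
        self.code_to_id = {}
        self.id_to_code = {}

    def code_for(self, identifier):
        """Allocate one random, unique code per data subject, stable across their records."""
        if identifier not in self.id_to_code:
            code = secrets.token_hex(8)
            self.code_to_id[code] = identifier
            self.id_to_code[identifier] = code
        return self.id_to_code[identifier]


def pseudonymise(records, key):
    """Build the recipient's copy: direct identifiers replaced by a code; the key stays behind."""
    shared = []
    for rec in records:
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        row["subject_code"] = key.code_for(rec["email"])
        shared.append(row)
    return shared


def erase_subject(identifier, identifiable, shared, key):
    """Deletion at a data subject's direction, propagated to both versions and the key."""
    code = key.id_to_code.pop(identifier, None)
    if code is None:
        return 0  # unknown subject: nothing to erase
    key.code_to_id.pop(code)
    before = len(identifiable)
    identifiable[:] = [r for r in identifiable if r["email"] != identifier]
    shared[:] = [r for r in shared if r["subject_code"] != code]
    return before - len(identifiable)


def singleton_rows(shared, quasi_identifiers):
    """Rows whose remaining quasi-identifier combination is unique: re-identification candidates."""
    counts = Counter(tuple(r[q] for q in quasi_identifiers) for r in shared)
    return [r for r in shared if counts[tuple(r[q] for q in quasi_identifiers)] == 1]
```

Re-running `singleton_rows` whenever the recipient could gain access to additional data sources is one concrete form of the periodic re-identification risk test the article calls for.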

Cross-border transfers

POPIA restricts transfers of personal information outside South Africa. Where only a pseudonymised dataset (without the key) is transferred, responsible parties may argue that POPIA is not engaged because the recipient processes non-personal information. Nonetheless, prudent organisations should analyse and document why the dataset, in the recipient's context, is no longer personal information; and if any residual risk of re-identification exists, comply with POPIA (among other things) by ensuring that the foreign recipient is subject to adequate protection, contractual safeguards, or binding corporate rules.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
